US11397692B2 · Active · Utility · PatentIndex 86

Low overhead integrity protection with high availability for trust domains

Assignee: INTEL CORP · Priority: Jun 29, 2018 · Filed: Jun 29, 2018 · Granted: Jul 26, 2022
Est. expiry: Jun 29, 2038 (~12 yrs left) · nominal 20-yr term from priority
Inventors: CHHABRA SIDDHARTHA; AGARWAL RAJAT; PATEL BAIJU; YAP KIRK
Classifications: G06F 21/85; H04L 9/14; G06F 21/53; H04L 2209/34; H04L 9/3242; G06F 9/45558; G06F 21/602; G06F 21/72; G06F 12/145; G06F 12/1408; G06F 21/64; G06F 21/78; G06F 2009/45579

PatentIndex Score: 86 · Cited by: 8 · References: 13 · Claims: 21

Abstract

Techniques are described for providing low-overhead cryptographic memory isolation to mitigate attack vulnerabilities in a multi-user virtualized computing environment. Memory read and memory write operations for target data, each operation initiated via an instruction associated with a particular virtual machine (VM), include the generation and/or validation of a message authentication code that is based at least on a VM-specific cryptographic key and a physical memory address of the target data. Such operations may further include transmitting the generated message authentication code via a plurality of ancillary bits incorporated within a data line that includes the target data. In the event of a validation failure, one or more error codes may be generated and provided to distinct trust domain architecture entities based on an operating mode of the associated virtual machine.

Claims

exact text as granted — not AI-modified
What is claimed:

1. A system for cryptographic memory isolation, the system comprising:
  processing circuitry to execute a plurality of instructions, wherein each instruction is associated with one virtual machine (VM) of multiple virtual machines (VMs); and
  memory circuitry communicatively coupled to the processing circuitry and comprising a memory controller to:
    perform at least write operations via the memory circuitry, wherein to perform a write operation associated with a first VM of the multiple VMs includes to:
      generate a first message authentication code (MAC) based on a combination of at least first target data to be stored via the write operation, a first cryptographic key that is specific to the first VM of the multiple VMs, and a first physical memory address in which the first target data is to be stored via the write operation;
    perform, subsequent to the write operation, a first read operation associated with the first VM of the multiple VMs, wherein to perform the first read operation includes to:
      generate a second message authentication code (MAC) based on a combination of at least the first target data retrieved from the first physical memory address, the first cryptographic key that is specific to the first VM of the multiple VMs, and the first physical memory address; and
      determine that no integrity failure has occurred based on a comparison of the first MAC and the second MAC; and
    perform, subsequent to the write operation, a second read operation at the first physical memory address by a second VM of the multiple VMs, wherein to perform the second read operation includes to:
      generate a third message authentication code (MAC) based on a combination of at least the first target data retrieved from the first physical memory address, a second cryptographic key that is specific to the second VM of the multiple VMs, and the first physical memory address; and
      detect an integrity failure based on a comparison of the first MAC and the third MAC.

2. The system of claim 1, wherein the memory controller is to generate the first MAC via one or more cryptographic algorithms, wherein a distinct other cryptographic key is used to encrypt the first target data.

3. The system of claim 1, wherein the first cryptographic key that is specific to the first VM is associated with a first instruction of the plurality of instructions, and wherein the first instruction caused the processing circuitry to initiate the write operation.

4. The system of claim 1, wherein:
  the memory circuitry is further to provide, responsive to the detection of the integrity failure, an indication to the processing circuitry that the integrity failure has been detected; and
  the processing circuitry is further to determine an operating mode of the second VM associated with a second instruction that caused the processing circuitry to initiate the second read operation, to generate an error code responsive to the indication from the memory circuitry, and to provide the generated error code to a destination that is based on the determined operating mode of the second VM.

5. The system of claim 4, wherein the generated error code is a page fault code, and wherein the determined operating mode of the second VM is one of a group that includes a trust domain (TD) non-root mode, a TD root mode, a VM extension (VMX) root mode, and a VMX non-root mode.

6. The system of claim 1, wherein to perform the write operation further includes to store additional information comprising a plurality of secondary bits as part of a data line that includes the first target data to be stored via the write operation, and wherein the additional information comprising the plurality of secondary bits includes the first MAC.

7. The system of claim 1, wherein to perform the write operation associated with the first VM of the multiple VMs includes further to:
  embed the first MAC in a data line that belongs to the first VM and that includes the first target data to be stored via the write operation.

8. An apparatus for cryptographic memory isolation, the apparatus comprising:
  memory circuitry to:
    perform at least write operations via the memory circuitry, wherein to perform a write operation associated with a first virtual machine (VM) of multiple virtual machines (VMs) includes to:
      generate a first message authentication code (MAC) based on a combination of at least first target data to be stored within the memory circuitry via the write operation, a first cryptographic key that is specific to the first VM of the multiple VMs, and a first physical memory address in which the first target data is to be stored via the write operation;
    perform, subsequent to the write operation, a first read operation associated with the first VM of the multiple VMs, wherein to perform the first read operation includes to:
      generate a second message authentication code (MAC) based on a combination of at least the first target data retrieved from the first physical memory address, the first cryptographic key that is specific to the first VM of the multiple VMs, and the first physical memory address;
      determine that no integrity failure has occurred based on a comparison of the first MAC and the second MAC; and
    perform, subsequent to the write operation, a second read operation at the first physical memory address by a second VM of the multiple VMs, wherein to perform the second read operation includes to:
      generate a third message authentication code (MAC) based on a combination of at least the first target data retrieved from the first physical memory address, a second cryptographic key that is specific to the second VM of the multiple VMs, and the first physical memory address; and
      detect an integrity failure based on a comparison of the first MAC and the third MAC.

9. The apparatus of claim 8, wherein to generate the first MAC includes to generate the first MAC via one or more cryptographic algorithms, wherein a distinct other cryptographic key is used to encrypt the first target data.

10. The apparatus of claim 8, wherein the first cryptographic key that is specific to the first VM is associated with a first instruction of a plurality of instructions that are each associated with one of the multiple VMs, and wherein the first instruction initiated the write operation.

11. The apparatus of claim 8, wherein the memory circuitry is further to provide, responsive to the detection of the integrity failure, an indication that the integrity failure has been detected; and wherein processing circuitry is to determine an operating mode of the second VM associated with a second instruction that caused the processing circuitry to initiate the second read operation, to generate an error code responsive to the indication from the memory circuitry, and to provide the generated error code to a destination that is based on the determined operating mode of the second VM.

12. The apparatus of claim 11, wherein the generated error code is a page fault code, and wherein the determined operating mode of the second VM is one of a group that includes a trust domain (TD) non-root mode, a TD root mode, a VM extension (VMX) root mode, and a VMX non-root mode.

13. The apparatus of claim 8, wherein to perform the write operation further includes to store additional information comprising a plurality of secondary bits as part of a data line that includes the first target data to be stored via the write operation, and wherein the additional information comprising the plurality of secondary bits includes the first MAC.

14. The apparatus of claim 8, wherein to perform the first read operation includes further to:
  extract the first MAC from a data line that belongs to the first VM and that includes the first target data retrieved from the first physical memory address.

15. A method for cryptographic memory isolation, the method comprising:
  executing each of a plurality of instructions via one or more processors, each instruction being associated with a virtual machine (VM) of multiple virtual machines (VMs) being executed by the one or more processors;
  performing one or more write operations via memory circuitry communicatively coupled to the one or more processors, wherein a write operation of the one or more write operations that is associated with a first VM of the multiple VMs includes generating a first message authentication code (MAC) based on a combination of at least first target data to be stored via the write operation, a first cryptographic key that is specific to the first VM of the multiple VMs, and a first physical memory address for the first target data;
  performing, subsequent to the write operation, a first read operation associated with the first VM of the multiple VMs;
  generating a second message authentication code (MAC) based on a combination of at least the first target data retrieved from the first physical memory address, the first cryptographic key that is specific to the first VM of the multiple VMs, and the first physical memory address;
  comparing the first MAC to the second MAC to determine that no integrity failure has occurred;
  performing, subsequent to the write operation, a second read operation at the first physical memory address by a second VM of the multiple VMs;
  generating a third message authentication code (MAC) based on a combination of at least the first target data retrieved from the first physical memory address, a second cryptographic key that is specific to the second VM of the multiple VMs, and the first physical memory address; and
  detecting an integrity failure based on a comparison of the first MAC and the third MAC.

16. The method of claim 15, further comprising encrypting the first target data using a distinct other cryptographic key, and wherein generating the first MAC includes generating the first MAC via one or more cryptographic algorithms.

17. The method of claim 15, wherein the first cryptographic key that is specific to the first VM is associated with one instruction of the plurality of instructions, and wherein the method further comprises initiating the write operation responsive to the one instruction.

18. The method of claim 15, further comprising:
  generating, responsive to the detecting the integrity failure, an error code indicating that the integrity failure has been detected;
  determining an operating mode of the second VM associated with the second instruction; and
  providing the generated error code to a destination that is based on the determined operating mode of the second VM.

19. The method of claim 18, wherein generating the error code includes generating a page fault code, and wherein determining the operating mode of the second VM includes determining that the operating mode is one of a group that includes a trust domain (TD) non-root mode, a TD root mode, a VM extension (VMX) root mode, and a VMX non-root mode.

20. The method of claim 15, wherein performing the write operation further includes storing additional information comprising a plurality of secondary bits as part of a data line that includes the first target data, and wherein the additional information comprising the plurality of secondary bits includes the first MAC.

21. The method of claim 15, further comprising:
  embedding the first MAC in a data line that includes the first target data to be stored via the write operation; and
  extracting the first MAC from the data line that includes the first target data retrieved from the first physical memory address.
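The abstract and claims 1, 4 and 5 describe a memory controller that binds a MAC to three things at once: the line's data, a key specific to the VM issuing the access, and the physical address the line lives at, then routes a page-fault style error to a destination chosen by the faulting VM's operating mode. The following Python model is an added example written for this page, not code from the patent or from Intel. It assumes a 32-bit MAC field in the line's ancillary bits, uses a truncated HMAC-SHA256 in place of whatever hardware MAC the real design uses, and invents the per-mode destination names purely for illustration. Beyond the claim-1 sequence (write by VM1, successful read by VM1, failed read by VM2) it also shows why the physical address is part of the MAC: a line relocated to another address, or modified in place without the key, fails verification as well.

```python
import hmac
import hashlib
from dataclasses import dataclass
from enum import Enum

MAC_BYTES = 4  # assumed: a 32-bit MAC carried in the line's ancillary ("secondary") bits


class Mode(Enum):
    """Operating modes named in claims 5, 12 and 19."""
    TD_NON_ROOT = "TD non-root"
    TD_ROOT = "TD root"
    VMX_ROOT = "VMX root"
    VMX_NON_ROOT = "VMX non-root"


@dataclass
class DataLine:
    data: bytes   # the line contents (64 bytes in the constructed sample)
    mac: bytes    # ancillary bits: the MAC stored alongside the data


class IntegrityFailure(Exception):
    """Raised when the recomputed MAC does not match the stored MAC."""


def compute_mac(vm_key: bytes, phys_addr: int, data: bytes) -> bytes:
    """MAC over (physical address || data) under the VM-specific key.

    Truncated HMAC-SHA256 stands in for the hardware MAC; the patent does
    not specify the algorithm.
    """
    msg = phys_addr.to_bytes(8, "little") + data
    return hmac.new(vm_key, msg, hashlib.sha256).digest()[:MAC_BYTES]


class MemoryController:
    """Toy memory controller: generates the MAC on write, validates it on read."""

    def __init__(self) -> None:
        self.lines = {}   # physical address -> DataLine
        self.keys = {}    # VM id -> VM-specific MAC key (assumed lookup; real hardware keys by a key ID)

    def register_vm(self, vm: str, key: bytes) -> None:
        self.keys[vm] = key

    def write(self, vm: str, addr: int, data: bytes) -> None:
        mac = compute_mac(self.keys[vm], addr, data)
        self.lines[addr] = DataLine(data, mac)

    def read(self, vm: str, addr: int) -> bytes:
        line = self.lines[addr]
        expected = compute_mac(self.keys[vm], addr, line.data)
        if not hmac.compare_digest(expected, line.mac):
            raise IntegrityFailure(f"addr={addr:#x} vm={vm}")
        return line.data


def route_error(mode: Mode) -> tuple:
    """Claims 4/5: a page-fault code delivered to a destination chosen by mode.

    The destination names are assumptions for illustration only.
    """
    destinations = {
        Mode.TD_NON_ROOT: "trust-domain guest handler",
        Mode.TD_ROOT: "trust-domain root handler",
        Mode.VMX_ROOT: "hypervisor handler",
        Mode.VMX_NON_ROOT: "guest VM handler",
    }
    return ("page fault", destinations[mode])


def demo() -> dict:
    """Walk through the write / same-VM read / other-VM read sequence of claim 1."""
    mc = MemoryController()
    mc.register_vm("vm1", b"constructed-key-for-vm1")   # constructed sample keys
    mc.register_vm("vm2", b"constructed-key-for-vm2")
    addr, payload = 0x1000, b"A" * 64                  # constructed sample line

    mc.write("vm1", addr, payload)
    same_vm_ok = mc.read("vm1", addr) == payload       # first MAC == second MAC

    def fails(vm: str, a: int) -> bool:
        try:
            mc.read(vm, a)
            return False
        except IntegrityFailure:
            return True

    other_vm_fails = fails("vm2", addr)                # third MAC under vm2's key differs

    # Address binding: the same line at a different physical address no longer verifies.
    mc.lines[0x2000] = mc.lines.pop(addr)
    relocated_fails = fails("vm1", 0x2000)
    mc.lines[addr] = mc.lines.pop(0x2000)

    # Data binding: bytes changed in place without the key are detected on read.
    mc.lines[addr].data = b"B" * 64                    # constructed corruption
    tampered_fails = fails("vm1", addr)

    code, dest = route_error(Mode.TD_NON_ROOT)
    return {"same_vm_ok": same_vm_ok, "other_vm_fails": other_vm_fails,
            "relocated_fails": relocated_fails, "tampered_fails": tampered_fails,
            "error": (code, dest)}


if __name__ == "__main__":
    print(demo())
```

The model keeps the claim-2 detail (a separate key encrypts the data) out of scope; only the MAC key is per-VM here. The point a practitioner should take from it is that a wrong key, a wrong address and a changed payload all surface as the same integrity failure, so the check fires for cross-VM access as well as for tampering, and the mode-dependent routing decides who handles it.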
